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This work tackles the problem of using Model Checking for the purpose of 
verifying the HSTS planning system. HSTS is the planner and scheduler of the 
remote agent autonomous control system deployed in Deep Space One ( DS 1 ) [S] . 
Model Checking allows for the verification of domain models as well as planning 
engines. We have chosen the real-time model checker UPPAAL for this work 
[6]. We start by motivating our work in the Introduction. Then we give a brief 
description of HSTS and UPPAAL. After that, we give a sketch for the mapping 
of HSTS models into UPPAAL and we present samples of plan model properties 
one may want to verify. 

1 Introduction 

AI technologies, and specifically AI planning, facilitates the elicitation and au- 
tomatic manipulation of system level constraints. However, the models used by 
the planner still need to be verified, i.e., it is necessary to guarantee that no un- 
intended consequences will arise. One question that comes to mind is whether 
the most advanced techniques used in software verification, specifically model 
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checking. can help. 

Tin? most u sed model chocking formalisms, however, cannot easily represent 
constraints that are naturally represented by HSTS. namely continuous time 
and other continuous parameters. Also, the goal of HSTS is to provide an 
expressive language to facilitate knowledge acquisition by non AI experts (e.g.. 
system engineers) So. HSTS models cannot be easily translated into a model 
checking formalism. To allow model checking algorithms to operate on HSTS 
models we. therefore, need a mapping between a subset of the HSTS Domain 
Description Language to a model checking formalism. An earlier attempt to 
analyze HSTS planner models, where no metrics were considered, is described 
in [10]. 

We choose UPPAAL because it can represent time (section 3), it is compara- 
ble to HSTS in terms of representation and search since they are both constraint 
based systems, and has been successfully applied to several verification cases of 
real-time systems of industrial interest [4, 3]. 

Some of the issues that we are interested in addressing in this research are: 

L Whether model checking techniques can address problems of the size of a 
realistic autonomy planning application; 

2. Once we have a mapping from a planner model into a model checking 
formalism, what the core differences between the search method used in 
model checking and that used by a planner are; and 

3. Lessons, if any, that planning can take from model checking and vice versa 
regarding representation, search control, and other aspects. Related work 
can be found in [1, 2]. 

2 HSTS 

HSTS, Heuristic Scheduling Testbed System, is a general constraint-based plan- 
ner and scheduler. It is also one of four components that constitutes the Remote 
Agent Autonomous system which was used for the Remote Agent Experiment, 
(RAX), in May of 1999, for autonomous control of the Deep Space 1 space- 
craft [8]. 
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HSTS consists of ;i planning origin.: that takes a plan model, in addition to 
a goal, as input and produces a complete plan. A plan model is a description 
of the domain given as a set of objects and constraints. The produced plan 
achieves the specified goal and satisfies the constraints in the plan model. 

In more detail, an HSTS plan model is based on a collection of entities, 
called state variables, that can be in different states, represented as predicate 
values. Therefore, predicates represent "spans'’, or intervals, on state variables. 
A set of compatibilities between predicates is specified. The compatibilities are 
temporal constraints, which may involve durations, between end points of pred- 
icate values. For example, ’’predl meets pred2” indicates that the end of predl 
(certain predicate value) should coincide with the start of pred2 (another pred- 
icate value): and "predl before[3.5] pred2" indicates that the distance between 
the end of predl and the start of pred2 is between 3 and 5. An HSTS plan is a 
complete assignment of predicate values for all the state variables that satisfy 
all compatibilities. 

HSTS ensures robustness of schedules by allowing tor flexible temporal repre- 
sentations The quality of generated plans is improved by interleaving planning 
and scheduling, rather than performing them separately. HSTS also allows nat- 
ural and efficient handling of concurrent processes, and the modeling language 
is simple in its uniform representation of actions and states. HSTS has a rich 
language for expressing temporal relation constraints [9, 5]. 

3 UPPAAL 

UPPAAL, an acronym based on a combination of UPPsala and AALborg uni- 
versities, is a tool box for modeling, simulation, and verification of real-time 
systems. The simulator is used for interactive and automated analysis of system 
behavior during early design stages while the verifier, which is a model-checker, 
covers the exhaustive dynamic behavior of the system for proving safety and 
bounded liveness properties. The verifier, which is a symbolic model checker, is 
implemented using sophisticated constraint-solving techniques where efficiency 
and optimization are emphasized. Space reduction is accomplished by both lo- 
cal and global reductions. The local reduction involves reducing the amount 
of space a symbolic state occupies and is accomplished by the compact rep- 
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resell tat ion of Difference Bounded Matrix (DBM) tor clock constraints. The 
global reduction involves reducing the number of states to save during a course 
of reachability analysis [II, 7]. 

A UPPAAL model consists of a set of timed automata, a set of local clocks, 
global variables, and synchronizing channels. A node in an automaton may be 
associated with an invariant, which is a set of clock constraints, for enforcing 
transitions out of the node. An arc may be associated with a guard for con- 
trolling when this transition can be taken. On any transition, local clocks may 
get reset and global variables may get re-assigned. A trace in LPPAAL is a 
sequence of states, each of which containing a complete specification of a node 
from each automata, such that each state is the result of a valid transition from 
the previous state. 

UPPAAL had been proven to be a useful model-checking tool for many 
domains including distributed multimedia and power controller applications [4. 
3j. 

4 Mapping HSTS models into UPPAAL 

Here, we present a sketch of the translation from HSTS plan models into l P- 
PAAL models. Definitions for used terms, and a more formal translation algo- 
rithm, are to be provided in the final paper. 

Each state variable is represented as a UPPAAL automaton where each value 
predicate is represented as a node. Transitions of an automaton represent value 
ordering constraints of the corresponding state variable. Each predicate value 
is mapped into a main node and two chains of nodes that are of zero duration 
each. The first chain represents the start of the value span and all its constraints. 
The second chain represents the end of the value span and ail its constraints. 
Duration constraints are translated into invariants and guards of local clocks. 
Temporal relation constraints are implemented through communication chan- 
nels. 

A goal in HSTS corresponds to a property in UPPAAL. Similarly, a plan 
in HSTS corresponds to an execution trace in UPPAAL. More details, with 
supporting examples, will be given in the final paper. 
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5 Properties for Verification 


ITPAAL allows for verifying properties that, are useful for ensuring correctness 
and detecting inconsistencies and Haws in HSTS plan model. For example. 
L'PPAAL is able to verify the existence of complete plans that satisfy given 
constraints. It can also detects the mutual exclusion properties of predicate 
values. 

Our experience on a sample problem of a rover that can go from one location 
to another to collect rocks showed the usefulness, and success, of using UPPAAL 
for model checking HSTS. More details on this experiment are to be provided 
in the final paper. 

6 Summary 

Our work tackles the problem of using Model Checking for the purpose of veri- 
fying planning systems. 

We have constructed an algorithm that maps plan models into timed au- 
tomata. The algorithm works well for translating models of limited size and 
complexity. Since complete constraint planning models are much too complex 
for a complete translation into a model checking formalism, there is a need for 
building representative "abstract’’ models. We will investigate such abstraction 
in the near future. 

After translating a plan model, properties can be checked for detecting in- 
consistencies and incompleteness in the model. In addition, the model checking 
search engine can be used as an independent problem solving mechanism for 
verifying the planning engine. This is possible because goals can be mapped 
into properties and traces correspond to plans. 

We are currently working on identifying a set of verification properties that 
guarantee a certain degree of coverage for HSTS models and the Planning engine. 
We are also analyzing the benefits, and limitations, of using a model checker for 
HSTS verification. 
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